Palo Alto Expedition: From N-Day to Full Compromise

Palo Alto Expedition: From N-Day to Full Compromise

On July 10, 2024, Palo Alto released a security advisory for CVE-2024-5910, a vulnerability which allowed attackers to remotely reset the Expedition application admin credentials. While we had never heard of Expedition application before, it’s advertised as: The purpose of this tool is to help reduce the time and efforts ... Read More
CVE-2024-28987: SolarWinds Web Help Desk Hardcoded Credential Vulnerability Deep-Dive

CVE-2024-28987: SolarWinds Web Help Desk Hardcoded Credential Vulnerability Deep-Dive

On August 13, 2024, SolarWinds released a security advisory for Web Help Desk (WHD) that detailed a deserialization remote code execution vulnerability. This vulnerability, CVE-2024-28986, was added to CISA’s Known Exploited Vulnerability (KEV) catalog two days later on August 15, 2024. The advisory states: SolarWinds Web Help Desk was found ... Read More
CVE-2024-8190: Investigating CISA KEV Ivanti Cloud Service Appliance Command Injection Vulnerability

CVE-2024-8190: Investigating CISA KEV Ivanti Cloud Service Appliance Command Injection Vulnerability

| | Attack Blogs, Attack Research
On September 10, 2024, Ivanti released a security advisory for a command injection vulnerability for it’s Cloud Service Appliance (CSA) product. Initially, this CVE-2024-8190 seemed uninteresting to us given that Ivanti stated that it was an authenticated vulnerability. Shortly after on September 13, 2024, the vulnerability was added to CISA’s ... Read More
CVE-2024-23108: Fortinet FortiSIEM 2nd Order Command Injection Deep-Dive

CVE-2024-23108: Fortinet FortiSIEM 2nd Order Command Injection Deep-Dive

In November of 2023, preparing for a call for papers, I attempted to investigate the FortiSIEM patch for CVE-2023-34992. I kindly inquired with the PSIRT if I could have access to the most recent versions to some of their appliances to validate the patches, to which they declined. Acquiring access ... Read More
Rust Won't Save Us: Finding And Exploiting 0-Days In Security Appliances - Zach Hanley

CVE-2023-34992: Fortinet FortiSIEM Command Injection Deep-Dive

In early 2023, given some early success in auditing Fortinet appliances, I continued the effort and landed upon the Fortinet FortiSIEM. Several issues were discovered during this audit that ultimately lead to unauthenticated remote code execution in the context of the root user. The vulnerabilities were assigned CVE-2023-34992 with a ... Read More
Fortinet FortiWLM Deep-Dive, IOCs, and the Almost Story of the “Forti Forty”

Fortinet FortiWLM Deep-Dive, IOCs, and the Almost Story of the “Forti Forty”

| | Attack Blogs, Disclosures
Earlier this year, soon after reproducing a remote code execution vulnerability for the Fortinet FortiNAC, I was on the hunt for a set of new research targets. Fortinet seemed like a decent place to start given the variety of lesser-known security appliances I had noticed while searching for the FortiNAC ... Read More
CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive

CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive

On February 27, 2024, Progress released a security advisory for OpenEdge, their application development and deployment platform suite. The advisory details that there exists an authentication bypass vulnerability which effects […] The post CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive appeared first on Horizon3.ai ... Read More
Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities

Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities

| | Attack Blogs
Introduction Memory safety issues have plagued the software industry for decades. The Cybersecurity & Infrastructure Security Agency (CISA) has been leading a charge for secure-by-design and encouraging developers and vendors […] The post Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities appeared first on Horizon3.ai ... Read More
CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive

CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive

| | Blog, Red Team
On January 22, 2024 Fortra posted a security advisory for their GoAnywhere MFT product. This advisory details an authentication bypass vulnerability, CVE-2024-0204, that allows an unauthenticated attacker to create an […] The post CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive appeared first on Horizon3.ai ... Read More
MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise

MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise

| | Blog, Red Team
On May 31, 2023, Progress released a security advisory for their MOVEit Transfer application which detailed a SQL injection leading to remote code execution and urged customers to update to the latest version. The vulnerability, CVE-2023-34362, at the time of release was believed to have been exploited in-the-wild as a ... Read More